On Tue, Aug 17, 2010 at 10:32 AM, Pablo Graña <pablo.gr...@globant.com> wrote:

> I partially understand the same origin policy, but not all of its
> consequences. If all gadgets are rendered from the same ifr 'service', they
> share the same origin. Does that mean that every gadget can walk the DOM of
> every other gadget in the same page? At least, they could share the cookies,
> but I don't know how relevant that is, given that makeRequest drops the
> cookies (does it?).
>

Yes, two iframes that have the same origin can read and modify each other's
DOM, including reading password fields, for example.


> The other thing is the rpc_relay.html. I know it is sometimes used for
> cross-site communication between iframes, but I still don't know about the
> consequences. The documentation states that rpc_relay.html must not be in
> the same domain as (I don't remember - was it shindig - the site?)
>
> Creating one domain per gadget, while possible, forces the host to also
> control a dns sub-tree. Is this something done somewhere? How does caja fit
> into this picture?
>

For code in the caja subset of javascript/html, the cajoled gadget can
safely be on the same origin as the container.  The security policy does not
rely on origin but rather the choice and implementation of APIs that the
container exposes to the gadget.


> I again apologize for my ignorance, any pointer or documentation, will be
> greatly appreciated.
>
> thanks a lot
>
> On Tue, Aug 17, 2010 at 9:46 AM, Christiaan Hees <christi...@q42.nl>
> wrote:
>
> > You probably even want each gadget iframe to be rendered on a different
> > sub-domain or else they'll be able to influence each other through the DOM.
> > Anyway, I ended up doing the metadata call on the server side and passing
> > only the result to the client JS, which seems to work fine.
> >
> > On Tue, Aug 17, 2010 at 1:17 PM, Bastian Hofmann
> > <bashofm...@googlemail.com>wrote:
> >
> > > If shindig and your container are on the same domain all gadgets have
> > > full access to your container javascript, can manipulate the dom of
> > > your page and access your user's cookies.
> > >
> > > See http://en.wikipedia.org/wiki/Same_origin_policy
> > >
> > > 2010/8/17 Pablo Graña <pablo.gr...@globant.com>:
> > > > I apologize for my ignorance, but I can't figure out why it is a
> > > > security risk.
> > > >
> > > > On Tue, Aug 17, 2010 at 7:16 AM, Tim Wintle
> > > > <tim.win...@teamrubber.com> wrote:
> > > >
> > > >> On Wed, 2010-08-11 at 13:01 -0400, Gregg Horan wrote:
> > > >> > I've been successful using apache in front and doing rewrites on /
> > > >> > gadgets, /social, etc.
> > > >>
> > > >> I may be misunderstanding, but you don't really want to be hosting
> > > >> your site on the same (domain, port) as shindig for security reasons.
> > > >>
> > > >>
> > > >>
> > > >
> > > >
> > > > --
> > > > Pablo Graña
> > > > Chief Architect
> > > > Globant
> > > > Arg Office: +54 (11) 4109 1743
> > > > UK  Office: +44 (20) 7043 8269 int 8043
> > > > US  Office: +1 (212) 400 7686 int 8043
> > > >
> > >
> >
>
>
>
> --
> Pablo Graña
> Chief Architect
> Globant
> Arg Office: +54 (11) 4109 1743
> UK  Office: +44 (20) 7043 8269 int 8043
> US  Office: +1 (212) 400 7686 int 8043
>
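The rule the replies above rely on (two frames share an origin exactly when scheme, host and port all match, and a gadget served from the container's own origin can then read the container's DOM and cookies) can be checked mechanically when a container decides where its gadget iframes are rendered. The following Node.js snippet is an added example and is not code from Shindig, Caja, or any of the posters; the container URL, the gadget iframe URLs, the allowlist and the message objects are constructed sample values, and the `service`/`args` payload shape is an assumption made for the example rather than the real Shindig RPC format.

```javascript
// Added example (not Shindig code): origin checks a gadget container can apply.
// Runs under Node.js with no DOM; every URL and message below is constructed.

// Reduce a URL to the (scheme, host, port) triple the same-origin policy
// compares. Default ports are filled in so "https://h" and "https://h:443"
// compare equal. Returns null for strings that are not absolute URLs, which
// is what an opaque origin such as the literal "null" from a sandboxed frame
// looks like on the receiving side.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;
  }
  const defaultPort = u.protocol === 'https:' ? '443' : u.protocol === 'http:' ? '80' : '';
  const port = u.port || defaultPort;
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && oa === ob;
}

// Deployment audit: flag gadget iframe URLs that share an origin with the
// container page (full DOM/cookie access to the container) or with another
// gadget (gadgets can then read each other's DOM). Returns the findings so a
// configuration can be checked before it goes live.
function auditGadgetOrigins(containerUrl, gadgetIframeUrls) {
  const findings = [];
  const firstSeen = new Map(); // origin -> first gadget URL rendered there
  for (const url of gadgetIframeUrls) {
    const origin = originOf(url);
    if (origin === null) {
      findings.push({ url, problem: 'not an absolute URL' });
      continue;
    }
    if (sameOrigin(containerUrl, url)) {
      findings.push({ url, problem: 'gadget shares origin with container' });
    }
    if (firstSeen.has(origin)) {
      findings.push({ url, problem: `gadget shares origin with ${firstSeen.get(origin)}` });
    } else {
      firstSeen.set(origin, url);
    }
  }
  return findings;
}

// Cross-origin RPC receiver: once gadgets live on separate origins, the only
// channel left is window.postMessage (the role rpc_relay.html played in older
// containers). The receiver must compare event.origin against an explicit
// allowlist before touching the payload. The event shape mirrors MessageEvent
// (origin, data); the {service, args} payload layout is assumed for this example.
function makeRpcReceiver(allowedOrigins) {
  const allowed = new Set(allowedOrigins.map(originOf));
  return function onMessage(event) {
    const origin = originOf(event.origin);
    if (origin === null || !allowed.has(origin)) {
      return { accepted: false, reason: `unexpected origin ${event.origin}` };
    }
    const { service, args } = event.data || {};
    if (typeof service !== 'string' || !Array.isArray(args)) {
      return { accepted: false, reason: 'malformed rpc payload' };
    }
    return { accepted: true, service, args };
  };
}

// Constructed sample deployment: one container, four gadget iframe URLs.
const CONTAINER = 'https://container.example.com/';
const GADGETS = [
  'https://gadget-a.example.org/gadgets/ifr?url=https://apps.example.net/weather.xml',
  'https://gadget-b.example.org/gadgets/ifr?url=https://apps.example.net/news.xml',
  'https://gadget-b.example.org:443/gadgets/ifr?url=https://apps.example.net/todo.xml',
  'https://container.example.com/gadgets/ifr?url=https://apps.example.net/chat.xml',
];

function demo() {
  const findings = auditGadgetOrigins(CONTAINER, GADGETS);
  const receive = makeRpcReceiver(['https://gadget-a.example.org', 'https://gadget-b.example.org']);
  const rpc = [
    receive({ origin: 'https://gadget-a.example.org', data: { service: 'resize', args: [300] } }),
    receive({ origin: 'https://attacker.example.com', data: { service: 'resize', args: [300] } }),
    receive({ origin: 'null', data: { service: 'resize', args: [300] } }),
  ];
  return { findings, rpc };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it lists two audit findings (the third gadget URL shares an origin with the second, and the fourth shares the container's origin) and shows the receiver accepting only the message whose origin is on the allowlist. The audit catches the "shindig and container on the same (domain, port)" setup Tim Wintle warned about; the receiver is the defensive half of the separate-origin design, since once the frames cannot reach each other's DOM, every cross-frame call has to go through a message whose origin is checked.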
